gpaharenko

Recent entries

You are viewing the most recent 20 entries

[Nov 15, 2009|05:50]

17:50: Forming an incident team?
For everyone forming an incident response team, it is worth reading NIST SP 800-61 rev. 1, the Computer Security Incident Handling Guide:
http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf


[Oct 30, 2009|07:29]

19:29: Ukraine joined the Microsoft GSP program
Ukraine is now part of the Microsoft Government Security Program (GSP), which means Ukraine is one of the 65 geographic markets whose intellectual property regimes meet international standards. See:
  http://www.microsoft.com/resources/sharedsource/gsp.mspx
  http://dstszi.gov.ua/dstszi/control/uk/publish/article?art_id=79136&cat_id=38710



[Oct 26, 2009|10:10]

22:10: How SYN-flood protection affects port scanning results
If a port scan reports many open ports, it may mean that a firewall in the path has SYN-flood protection enabled: the device completes the TCP handshake itself before it knows whether the real host listens on that port, so a SYN scan sees a SYN-ACK for everything. This issue was recently raised on the pen-test mailing list; the answer there was the syn-proxy (SYN cookie) option turned on on a Juniper firewall. IMHO it is also good practice not to rely completely on the SYN scan (nmap -sS) but to run a TCP connect scan (-sT) as well, and to verify what actually answers behind the "open" ports.

[Oct 22, 2009|12:00]

00:00: Possible weak implementation in the DNSSEC infrastructure
The cryptography mailing list is discussing a possible weak implementation in the DNSSEC infrastructure, specifically the key length of zone keys:
  http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

The common opinion on the list is that 1024-bit RSA looks too small over a horizon of several years. Another interesting point is that such a small key length was chosen because of the nature of DNS over UDP: long packets are much less reliable to deliver. The blog's author also reminds everyone that changing keys frequently adds only a linear amount of security, and that is too weak, since a linear increase in complexity is usually easy for an attacker to absorb.
By the way, 512-bit keys have been shown to be breakable in practice:
  http://www.schneier.com/blog/archives/2009/09/texas_instrumen.html
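An added example, not code from the post or from the linked article: a small Python audit of DNSKEY records that reads the RSA modulus length out of the RFC 3110 public-key encoding and flags 512- and 1024-bit zone keys. The example.ua records are constructed with placeholder moduli of the right size (not real key pairs) so the script runs offline; the verdict thresholds are my reading of the discussion above.

```python
import base64
import struct

RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def rsa_public_key_fields(pubkey):
    """Decode the RFC 3110 RSA public key encoding used in DNSKEY RDATA:
    exponent length (1 byte, or 0x00 followed by 2 bytes), exponent, modulus."""
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1
    else:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    exponent = int.from_bytes(pubkey[offset:offset + exp_len], "big")
    modulus = int.from_bytes(pubkey[offset + exp_len:], "big")
    return exponent, modulus.bit_length()


def parse_dnskey(rr):
    """Parse a presentation-format DNSKEY RR: owner [ttl] [class] DNSKEY flags proto alg key."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    info = {"owner": fields[0], "role": "KSK" if flags & 1 else "ZSK",  # SEP bit
            "flags": flags, "algorithm": alg,
            "algorithm_name": RSA_ALGORITHMS.get(alg, "non-RSA"),
            "exponent": None, "modulus_bits": None}
    if alg in RSA_ALGORITHMS:
        info["exponent"], info["modulus_bits"] = rsa_public_key_fields(pubkey)
    return info


def key_size_verdict(info):
    """Assumed policy, following the list discussion above."""
    bits = info["modulus_bits"]
    if bits is None:
        return "not RSA; judge the algorithm separately"
    if bits <= 512:
        return "broken: 512-bit RSA has been factored in practice"
    if bits < 1024:
        return "weak"
    if bits == 1024:
        return "too small for multi-year use; plan a rollover to a longer key"
    return "adequate"


def make_rsa_dnskey(owner, flags, alg, modulus_bits, exponent=65537):
    """Build a syntactically valid DNSKEY RR around a CONSTRUCTED modulus of the
    requested size. This is not a real key pair; it only exercises the parser."""
    modulus = (1 << (modulus_bits - 1)) | 0x1337      # top bit set => exact bit length
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    pubkey = bytes([len(exp_bytes)]) + exp_bytes + mod_bytes
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


SAMPLE_ZONE = [
    make_rsa_dnskey("example.ua.", 257, 5, 2048),        # KSK, RSASHA1
    make_rsa_dnskey("example.ua.", 256, 5, 1024),        # ZSK, the size under discussion
    make_rsa_dnskey("legacy.example.ua.", 256, 5, 512),  # ZSK nobody should still sign with
]


def audit(records):
    """Return (owner, role, modulus bits, verdict) for every DNSKEY in the list."""
    return [(r["owner"], r["role"], r["modulus_bits"], key_size_verdict(r))
            for r in map(parse_dnskey, records)]


if __name__ == "__main__":
    for row in audit(SAMPLE_ZONE):
        print(*row)
```

For a live zone, paste the output of `dig +short DNSKEY zone.` (with the owner name prepended) into `audit`; the parser only needs the flags, algorithm and base64 key fields.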




[Oct 21, 2009|07:57]

19:57: Web application vulnerabilities
For everyone in the security field it is worth having a look at the recently published web application vulnerability statistics prepared by WASC:
  http://projects.webappsec.org/Web-Application-Security-Statistics

The top two are:
 - Cross-site scripting
 - Information leakage

I'm pretty sure that both can be covered by a proper security development lifecycle and do not require tremendous skills from a tester to find. This shows how low a priority security testing has in web projects.
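To make the "does not require tremendous skill to test" point concrete, an added example (mine, not from the post or the WASC report): the same search page rendered without and with context-aware output encoding, plus the minimal reflection check a tester can automate. The payloads, the page markup and the function names are constructed for this example.

```python
import html
import json

# Constructed payloads: the usual first reflected-XSS probes, one per context.
PAYLOADS = [
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "'\"><img src=x onerror=alert(1)>",
    "</script><script>alert(1)</script>",
]


def render_unsafe(query):
    """Reflects user input into three HTML contexts without any encoding."""
    return (f"<p>Results for {query}</p>\n"
            f'<input name="q" value="{query}">\n'
            f"<script>var q = '{query}';</script>")


def js_string(value):
    """JSON-encode for a JavaScript string literal, then neutralise '</' so a
    payload containing '</script>' cannot terminate the script block early."""
    return json.dumps(value).replace("</", "<\\/")


def render_safe(query):
    """Same page, encoded per context: HTML-escape (quotes included) for text
    nodes and quoted attributes, JS-string encoding inside the script block."""
    text = html.escape(query, quote=True)
    return (f"<p>Results for {text}</p>\n"
            f'<input name="q" value="{text}">\n'
            f"<script>var q = {js_string(query)};</script>")


def reflected_unescaped(render):
    """The cheap check a tester runs first: does any payload come back byte-for-byte?"""
    return [p for p in PAYLOADS if p in render(p)]


if __name__ == "__main__":
    print("unsafe reflects:", reflected_unescaped(render_unsafe))
    print("safe reflects:  ", reflected_unescaped(render_safe))
```

The byte-for-byte check is deliberately crude: it catches the case that dominates the WASC numbers (input copied straight into the page) and is trivial to wire into a test suite. It says nothing about encoding tricks or DOM-based flows, which still need a reviewer who knows which context each value lands in.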

[Oct 20, 2009|10:56]

22:56: CIA - where does it come from?
It is interesting to know that the CIA (Confidentiality, Integrity, Availability) definitions are often taken from FIPS PUB 199:
  Standards for Security Categorization of Federal Information and Information Systems
  http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

And FIPS in its turn takes them from the United States Code (44 U.S.C. 3542):
  http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html



[Nov 04, 2008|10:37]

10:37: Pen test methodology
Here is what I require from pen-test providers in Ukraine:
  http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

[Oct 30, 2008|10:25]

10:25: More about N-tiered protection
How do hackers work to infect your PC? Let's cover a common path:

JavaScript that sends the browser to an exploit -> exploit that downloads a loader -> loader that downloads the main body.

I will show you the details:

[Oct 29, 2008|08:32]

20:32: I work for ING Bank Ukraine as IT Security Architect
Responsible for the security of IT across all platforms and applications, voice and data, across all facets of ING Bank Ukraine's banking operations. I have broad skills in IT security, system administration, programming, audit, and incident response handling.

The complete CV is available here:
  http://docs.google.com/Doc?id=dhdxn2g6_3g5bxk5

[Oct 17, 2008|12:28]

00:28: Cisco IPS manager after an unclean shutdown
After an unclean shutdown my IPS Manager Express stopped querying events from the sensor. It just showed "No events...". However, I've successfully fixed it! IME uses MySQL inside. The problem was a corrupted table, which I had to repair.

[Oct 11, 2008|06:18]

18:18: Which antiviruses are good
Recently I caught a beast in the wild. Only 10/36 (27.78%) detected that it was a trojan. Take that into account when selecting an antivirus.

18:00: Add/remove Windows components from cmd
Sometimes you may find that the Add/Remove Windows Components tab is disabled in the Add/Remove Programs applet. Invoke

  %windir%\system32\sysocmgr.exe /i:%windir%\inf\sysoc.inf

and voila, you're managing the components in a separate window.


[Oct 10, 2008|12:00]

00:00: MARS backup
I've successfully set up MARS backups to NFS on Windows using MS SFU (Services for UNIX).
I hit some problems because NFSv3 and TCP support were turned off. I also had to reboot the MARS appliance. Keep v3 support enabled!

[Oct 09, 2008|11:42]

23:42: IPS manager integrates with Wireshark
I'll put down some opinions about Cisco IPS. I've been working with it in both the ASA AIP-SSM and IDSM forms; there is not much difference.


[Sep 25, 2008|09:55]

21:55: Make VPN setup easy!
A very helpful script :-) The other VPN party should run it for testing instead of invoking telnet by hand:

  REM loop forever, generating TCP/80 traffic towards the far side of the tunnel
  :Start
  telnet www.com.ua 80
  GOTO Start





[Sep 19, 2008|11:08]

23:08: Self-signed certificate under Windows in 5 minutes
Recently I had to create a self-signed certificate very quickly under Windows. This was achieved in 5 minutes. Are you faster?


[Sep 06, 2008|10:40]

22:40: Does nmap suck at UDP?
Continuing my previous post about nmap, I have to say that nmap lacks good support for UDP. Most UDP services will not respond to malformed or 0-length UDP packets, so a probe with no payload tells you nothing. Here unicornscan helps, as it has a good database of payloads. Unfortunately it does not contain all of the top 10 UDP ports from the nmap author's "Scanning the Internet" talk, but it helps anyway. Alternatively you can use protocol-specific utilities: ike-scan, nbtscan.

  unicornscan -r5 -mU -I network/24:53,123,137,500

will find much more than

  nmap -sU -p 53,123,137,500 network/24

It is also possible to use your own nmap-service-probes file and write your own probe packets (use the --datadir option), but I have not checked it yet. The default database of nmap probes lacks ISAKMP, though it successfully finds DNS:

  nmap -p 53 host.ua -P0 -sUV

  PORT   STATE SERVICE VERSION
  53/udp open  domain  ISC Bind 9.X

Using amap to identify ISAKMP was unsuccessful; DNS was a success:

  amap -u host.ua 53

  root@localhost:~/soft/framework-3.1# amap -u  matrix.ua 53
  amap v5.2 (www.thc.org/thc-amap) started at 2008-09-07 12:40:03 - MAPPING mode

  Protocol on xxxxx:53/udp matches dns-djb
  Protocol on xxxx:53/udp matches dns
  Protocol on xxxx:53/udp matches dns-ms
  Protocol on xxxx:53/udp matches dns-bind9

  Unidentified ports: none.

  amap v5.2 finished at 2008-xxx 12:40

Using the Metasploit scanner/discovery/sweep_udp module to identify ISAKMP was unsuccessful; DNS was a success:

  ./msfconsole
  use scanner/discovery/sweep_udp
  set RHOSTS net/24
  run
  [*] Discovered DNS on ::ffffxxxxx.xxxx.xxxx (000000000100c00c00020003000000000002c00c)
  [*] Auxiliary module execution completed
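An added example, not from the post or from any of the tools mentioned: a Python UDP prober that sends protocol-correct payloads for the four ports in the commands above (a DNS CHAOS version.bind query, an NTP client request, a NetBIOS node-status query and an ISAKMP main-mode proposal) and shows why the empty probe gets nothing back. Only DNS is exercised offline, against a constructed localhost stub that, like a real name server, ignores empty or malformed datagrams; the other payloads are built to spec but need a real target.

```python
import socket
import struct
import threading


def dns_query(name="version.bind", qtype=16, qclass=3):
    """Standard DNS query; the default is a CHAOS TXT version.bind request,
    the same idea as nmap's DNSVersionBindReq service probe."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD set, qdcount=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def nbns_node_status():
    """NetBIOS node-status query for '*' (what nbtscan sends): the name '*'
    padded with NULs, first-level encoded as 'CK' + 30 x 'A'."""
    encoded = b"\x20" + b"CK" + b"A" * 30 + b"\x00"
    return (struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + encoded
            + struct.pack("!HH", 0x21, 1))                          # NBSTAT, class IN


def isakmp_main_mode():
    """Phase-1 main-mode proposal 3DES-CBC / SHA1 / PSK / DH group 2 / 28800 s,
    the classic transform that ike-scan offers by default (RFC 2408/2409 layout)."""
    attrs = (struct.pack("!HH", 0x8001, 5)      # encryption algorithm: 3DES-CBC
             + struct.pack("!HH", 0x8002, 2)    # hash: SHA1
             + struct.pack("!HH", 0x8003, 1)    # authentication: pre-shared key
             + struct.pack("!HH", 0x8004, 2)    # group: MODP 1024
             + struct.pack("!HH", 0x800B, 1)    # life type: seconds
             + struct.pack("!HHI", 0x000C, 4, 28800))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal  # IPsec DOI, identity only
    header = struct.pack("!8s8sBBBBII", b"\x11\x22\x33\x44\x55\x66\x77\x88", b"\x00" * 8,
                         1, 0x10, 2, 0, 0, 28 + len(sa))   # next=SA, ISAKMP 1.0, main mode
    return header + sa


PROBES = {
    53: ("dns", dns_query()),
    123: ("ntp", b"\x1b" + b"\x00" * 47),   # NTP v3 client request: LI=0, VN=3, mode=3
    137: ("nbns", nbns_node_status()),
    500: ("isakmp", isakmp_main_mode()),
}


def probe(host, port, payload, timeout=1.0):
    """Send one payload and classify the port the way nmap labels UDP ports."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket: ICMP port-unreachable surfaces as an error
        s.send(payload)
        try:
            return "open", s.recv(4096)
        except socket.timeout:
            return "open|filtered", b""
        except ConnectionRefusedError:
            return "closed", b""


def start_stub_dns():
    """Constructed localhost responder that behaves like a real name server:
    it answers well-formed queries and silently drops empty or malformed datagrams."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def loop():
        while True:
            data, addr = s.recvfrom(512)
            if len(data) < 12:
                continue
            ident, flags, qdcount = struct.unpack("!HHH", data[:6])
            if flags & 0x8000 or qdcount != 1:   # not a query, or no question section
                continue
            s.sendto(struct.pack("!HHHHHH", ident, 0x8180, 1, 0, 0, 0) + data[12:], addr)

    threading.Thread(target=loop, daemon=True).start()
    return s.getsockname()[1]


def demo():
    """Empty probe (nmap -sU default) versus a real DNS query against the stub."""
    port = start_stub_dns()
    empty_state, _ = probe("127.0.0.1", port, b"")
    real_state, reply = probe("127.0.0.1", port, PROBES[53][1])
    reply_flags = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 4 else None
    return {"empty": empty_state, "dns_query": real_state, "reply_flags": reply_flags}


if __name__ == "__main__":
    print(demo())
```

Against a real network, loop `probe(host, port, payload)` over `PROBES`; an "open" answer on 500/udp to the ISAKMP proposal is exactly the result the nmap and amap runs above could not produce, and the reply's responder cookie and SA payload are what ike-scan then fingerprints.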

[Sep 03, 2008|07:21]

19:21: What hosts do others see in your AS?
What hosts can hackers discover on your corporate network? Are you sure that your firewall rules are applied correctly? I'm not. We need to check them when we have limited time, so what nmap options should we use? "-sS -p 1-65535 -P0" will most probably give a precise scan, but do we have time for it? As an alternative we can speed up the scan with a host-discovery sweep:

  nmap -iL targets -oN output_data -v -n -sP -PE -PP -PS21,22,23,25,53,80,88,143,443,445,1433,1521,3389,8080 -PA80,443 --source-port 53

Here -PE and -PP send ICMP echo and timestamp requests, -PS sends SYNs to the listed ports, -PA sends ACKs to 80 and 443, and --source-port 53 makes the probes look like DNS replies to careless stateless filters. The ports are taken from the DShield top 10 and from my own mind. The limitation is that we probe only TCP ports and do not perform UDP service discovery.



[Aug 24, 2008|09:00]

21:00: OpenSSL & latest Windows
To run OpenSSL binaries on the latest Windows versions (Vista, XP, 2003), do not forget to install the Visual Studio 2008 redistributable; otherwise the binaries won't start and in the event log you'll find complaints about the absence of VC90.CRT:



[Jul 01, 2008|11:11]

11:11: Backup continued... RedHat

These are brief steps for how to restore a RedHat OS from Veritas NetBackup:


Powered by LiveJournal.com